Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote:
> On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> > do this:
> >
> > AuthType GSSAPI
>
> This feels strange. The %{HTTP_HOST} is the value of the Host: header
> of the HTTP request. And on my setup, with httpd-2.4.18-1.fc23.x86_64
> on the proxy, the Host: header is the hostname to which the request is
> forwarded (it would be ns01.dev.example.net in your case). After
> all, the HTTP proxy is creating a completely new HTTP request.
>
> Could you try to minimize the setup (outside of IPA) to figure out
> why your Host: request header seems strange?

Seeing you use mod_nss on the proxy instead of mod_ssl, I've also
verified the setup with mod_nss-1.0.12-4.fc23.x86_64 on the proxy.
Still, the HTTP_HOST as seen on the FreeIPA server is the FreeIPA
server's hostname, not the proxy hostname.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> do this:
>
> AuthType GSSAPI

This feels strange. The %{HTTP_HOST} is the value of the Host: header
of the HTTP request. And on my setup, with httpd-2.4.18-1.fc23.x86_64
on the proxy, the Host: header is the hostname to which the request is
forwarded (it would be ns01.dev.example.net in your case). After
all, the HTTP proxy is creating a completely new HTTP request.

Could you try to minimize the setup (outside of IPA) to figure out
why your Host: request header seems strange?

> Once that change was made, the following proxy worked:
>
> Listen 9443
>
> [...]
>
> ProxyPass / https://ns01.dev.example.net/
> ProxyPassReverse / https://ns01.dev.example.net/
> ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
> RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/

I would have expected this needs to be

RequestHeader edit Referer ^https://password\.example\.net:9443/ https://ns01.dev.example.net/

-- with the nonstandard port specified.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
On Tue, Jun 07, 2016 at 09:50:07AM -0400, Anthony Clark wrote:
> One thing I noticed was that once I had set up the proxy as per the
> document from Jan, I was getting access denied to /ipa until I disabled the
> Kerberos authentication stuff:
>
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
> # AuthType GSSAPI
> # AuthName "Kerberos Login"
> # GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> # GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> # GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> # GssapiUseS4U2Proxy on
> # Require valid-user
> # ErrorDocument 401 /ipa/errors/unauthorized.html
> WSGIProcessGroup ipa
> WSGIApplicationGroup ipa

Could you be more specific about the issue? What actions were you doing
and at what point did you see the access denied? Perhaps also increase
the LogLevel to debug in the FreeIPA's Apache configuration and check
the error_log and ssl_error_log.

I did not observe the access denied before or after logging in and
I'd like to get to the root of this.

Thank you,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
do this:

AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiUseS4U2Proxy on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa

Apologies for the post spam.

On Tue, Jun 7, 2016 at 9:50 AM, Anthony Clark wrote:
> One thing I noticed was that once I had set up the proxy as per the
> document from Jan, I was getting access denied to /ipa until I disabled the
> Kerberos authentication stuff:
>
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
> # AuthType GSSAPI
> # AuthName "Kerberos Login"
> # GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> # GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> # GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> # GssapiUseS4U2Proxy on
> # Require valid-user
> # ErrorDocument 401 /ipa/errors/unauthorized.html
> WSGIProcessGroup ipa
> WSGIApplicationGroup ipa
>
> Once that change was made, the following proxy worked:
>
> Listen 9443
>
> ErrorLog /etc/httpd/logs/password-error_log
> TransferLog /etc/httpd/logs/password-access_log
> LogLevel debug
>
> NSSEngine on
> NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> NSSNickname Server-Cert
> NSSCertificateDatabase /etc/httpd/alias
>
> NSSProxyEngine on
> NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> ProxyPass / https://ns01.dev.example.net/
> ProxyPassReverse / https://ns01.dev.example.net/
> ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
> RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/
>
> I hope this helps someone down the line.
>
> -Anthony Clark
>
> On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner wrote:
>> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
>> Best,
>> Karl
>>
>> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
>> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>> >>
>> >> Hope this helps. I will likely do another writeup about this setup.
>> >
>> > https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>> >
>> > --
>> > Jan Pazdziora
>> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
One thing I noticed was that once I had set up the proxy as per the
document from Jan, I was getting access denied to /ipa until I disabled the
Kerberos authentication stuff:

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
# AuthType GSSAPI
# AuthName "Kerberos Login"
# GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
# GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
# GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
# GssapiUseS4U2Proxy on
# Require valid-user
# ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa

Once that change was made, the following proxy worked:

Listen 9443

ErrorLog /etc/httpd/logs/password-error_log
TransferLog /etc/httpd/logs/password-access_log
LogLevel debug

NSSEngine on
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias

NSSProxyEngine on
NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

ProxyPass / https://ns01.dev.example.net/
ProxyPassReverse / https://ns01.dev.example.net/
ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/

I hope this helps someone down the line.

-Anthony Clark

On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner wrote:
> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
> Best,
> Karl
>
> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
> >>
> >> Hope this helps. I will likely do another writeup about this setup.
> >
> > https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> >
> > --
> > Jan Pazdziora
> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
Thanks a lot Jan. It works perfectly, and it is crystal-clear.
Best,
Karl

On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
> On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>>
>> Hope this helps. I will likely do another writeup about this setup.
>
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>
> Hope this helps. I will likely do another writeup about this setup.

https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
On Thu, Jun 02, 2016 at 03:00:36PM +0200, Karl Forner wrote:
>
> My problem is:
> I have an ipa.example.com server on the internal network, with
> self-signed certificates.
> I'd like to be able to connect to the UI from the internet, using
> https with other certificates (e.g. let's encrypt certificates).
>
> So I tried to set up an SNI apache reverse proxy, but I could not make it work.
> I saw this blog
> [https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy] but I can
> not use the same FQDN name for the LAN and the WAN.
>
> I tried many many things, I could get the login form, but could never
> connect. What is the correct way of doing this?

If the hostname of the proxy and the FreeIPA server differ, you will
likely need some additional configuration on the proxy, to make sure
cookies produced by the FreeIPA server are used by the browser for
the subsequent HTTP requests, and also to make the Referer header
match FreeIPA's expectations. Something like

ProxyPassReverseCookieDomain ipa.example.com ipa.public.company.com
RequestHeader edit Referer ^https://ipa\.public\.company\.com/ https://ipa.example.com/

Note that you will not be able to use SSO (Kerberos) authentication
for the accesses via the ipa.public.company.com proxy, but I assume
that's not needed.

Hope this helps. I will likely do another writeup about this setup.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
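The two directives in Jan's reply above, written out as a complete proxy virtual host. This is an added example and not Jan's writeup nor the configuration Anthony posted: it uses mod_ssl rather than the mod_nss Anthony's config used, takes the hostnames ns01.dev.example.net and password.example.net:9443 from Anthony's post, and uses the nonstandard-port form of the Referer pattern that Jan points out further up the page (the thread is shown newest first). The certificate and key paths, the log names, the cipher list, the TLS version pinning and the location of the IPA CA file on the proxy are assumptions; adjust them to the deployment.

```apache
# Added example, not from the thread: mod_ssl reverse proxy that publishes the
# FreeIPA server ns01.dev.example.net as https://password.example.net:9443/.
# Paths, cipher list and CA file location are assumptions.

Listen 9443 https

<VirtualHost *:9443>
    ServerName password.example.net:9443

    ErrorLog  logs/password-error_log
    CustomLog logs/password-access_log combined

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/password.example.net.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/password.example.net.key
    SSLCertificateChainFile /etc/pki/tls/certs/password.example.net.chain.crt
    # Assumed hardening for the public leg: TLS 1.2 only and AEAD suites,
    # instead of the RC4/3DES-enabling mod_nss list used in the thread.
    SSLProtocol         -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

    # The proxy-to-IPA leg is TLS as well. Verify the FreeIPA server's
    # certificate against the IPA CA (assumed copied to /etc/ipa/ca.crt on the
    # proxy) and check the name, rather than trusting the backend blindly.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/ipa/ca.crt
    SSLProxyCheckPeerName     on

    # No ProxyPreserveHost here: the proxy issues a new request whose Host:
    # header is the backend name, which is what the FreeIPA server expects
    # and what Jan observed in HTTP_HOST on the IPA side.
    ProxyRequests    off
    ProxyPass        / https://ns01.dev.example.net/
    ProxyPassReverse / https://ns01.dev.example.net/

    # Cookies set by the IPA server carry Domain=ns01.dev.example.net; rewrite
    # that so the browser returns them to the public name.
    ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net

    # The browser's Referer names the public host and the nonstandard port;
    # without :9443 in the pattern the edit never matches and IPA's Referer
    # check rejects the JSON-RPC calls behind the login form.
    RequestHeader edit Referer ^https://password\.example\.net:9443/ https://ns01.dev.example.net/
</VirtualHost>
```

Two things to check after loading this: on the IPA server, `%{HTTP_HOST}` in the access log should show ns01.dev.example.net for proxied requests, and the browser should store the ipa_session cookie for password.example.net. If either is off, the symptom is exactly the one Karl describes: the login form renders, but the subsequent requests fail.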
[Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
Hi,

My problem is:
I have an ipa.example.com server on the internal network, with
self-signed certificates.
I'd like to be able to connect to the UI from the internet, using
https with other certificates (e.g. let's encrypt certificates).

So I tried to set up an SNI apache reverse proxy, but I could not make it work.
I saw this blog
[https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy] but I can
not use the same FQDN name for the LAN and the WAN.

I tried many many things, I could get the login form, but could never
connect. What is the correct way of doing this?

Thanks,
Karl